Mass phishing attack launched against dating sites

Fraudsters are stepping up phishing campaigns that target people who use dating websites, suggests research.

Members of Match.com, eHarmony, Zoosk, Christian Mingle and many others had received emails seeking to steal login details for the sites, said Netcraft.

The net monitoring firm said the emails had been sent from other websites, hacked to hide the senders' identity.

Stolen data would be used to befriend other users in an attempt to trick them into handing over cash, it said.

The phishing campaign against dating sites marked a departure for fraudsters, who typically preferred to target banks, said Paul Mutton, a security analyst at Netcraft who investigated the attacks.

The attacks were "massive", he said, adding that in the past week Netcraft had seen more than 100 compromised sites targeting Match.com alone.

So far, he said, it was not clear how sites were being compromised to host the scripts. Websites and servers run by individuals, small businesses, construction firms and telecom suppliers had all become unwitting hosts of the phishing tools, he added.

Mr Mutton said just one compromised site he had seen was home to about 800 short programs or scripts that targeted many different dating sites. Each script looked like it had been generated by a "kit" bought online.

"Anyone with a very basic knowledge of programming could make use of the kit," he said.

Extract cash

The scripts are used to craft phishing emails that are spammed out to potential victims.

The mails seek to trick people into entering their login names for the dating sites.

If successful, the details are passed on to the legitimate login page of a dating website and are also sent to one of 300 email addresses used by the phishing gang.

Fraudsters were keen to steal login details for accounts so they could avoid paying the charges dating sites levied before users could swap messages with other members, said Mr Mutton.

Using on-site messages the fraudsters hope to befriend others and then try to extract cash to help pay for a non-existent medical condition or to aid fictitious relatives.

Significant amounts of cash could be stolen this way, said Mr Mutton, pointing to the case of Karen and Tracy Vasseur, of Colorado, who were jailed in 2013 for stealing more than $1m (£590,000) from 374 people using dating-site scams.